We show that three principal means of treating privacy amplification in quantum key distribution, private state distillation, classical privacy amplification, and via the uncertainty principle, are equivalent and interchangeable. By adapting the security proof based on the uncertainty principle, we construct a new protocol for private state distillation which we prove is identical to standard classical privacy amplification. Underlying this approach is a new characterization of private states, related to their standard formulation by the uncertainty principle, which gives a more physical understanding of security in quantum key distribution.



Privacy amplification is the art of extracting a secret key from a string which is partially-known to an eavesdropper [1, 2]. In quantum key distribution (QKD) it plays a vital role as the protagonists, Alice and Bob, would like to transform their shared, but not secret, raw key into a verifiably secret key even when the eavesdropper Eve has tampered with the quantum signals.

Heuristically, privacy amplification works by applying a suitable randomly-chosen function to the raw key which scrambles and shortens it so that Eve's limited knowledge of the input tells her nothing about the output. The canonical example is using a random public string and computing the XOR with the original string. Provided Eve's information is not too large, Alice and Bob can be confident that the output will be secret.

Broadly speaking, QKD has historically taken three main approaches to privacy amplification. Each is characterized by its treatment of the states held by the various parties to the protocol. The first focuses on Eve's marginal state conditional on the key string, which she obtains in the course of eavesdropping. Applying a random function to the key string results in new marginal states for Eve which are essentially identical. We term this method classical privacy amplification as it is an adaptation of privacy amplification against classical adversaries. It can be traced through the sequence of papers 1,0,1,0,0].

The remaining two approaches focus either concretely on the states held by Alice and Bob, including any auxiliary systems, or abstractly on the key itself. In the former, privacy amplification is recast as a virtual form of private state distillation in which Alice and Bob transform their initial shared quantum state into a private state, a state which yields secret keys upon measurement. Maximally entangled states are a subset of private states, so this method includes the techniques of applying entanglement distillation to privacy amplification developed in jjj Ell EH and the subsequent work employing the technique of Shor and Preskill. Means for distilling more general private states were found in .

The latter approach of focusing abstractly on the key itself, irrespective of its realization by either honest party and disregarding any auxiliary systems not held by Eve, was employed in the first QKD security proof by Mayers [HI], subsequently improved by Koashi and Preskill [14], and finally culminated in a security proof based on the uncertainty principle by Koashi [15]. Here privacy amplification is viewed as a means of creating a virtual Pauli X eigenstate and then obtaining the key by measuring the conjugate Z observable.

In this letter we draw these three threads together and show they are equivalent when privacy amplification is based on linear functions. We do so by adapting Koashi's proof to give a new method of private state distillation and then prove it is identical to classical privacy amplification. The distillation technique follows from a new characterization of private states which is complementary to their standard description in the sense of the uncertainty principle. This unifies various approaches to the security of QKD, allowing the various means of treating privacy amplification to be interchanged. Moreover, it provides a more physical picture of how security arises from quantum mechanics.

The new private state distillation method significantly generalizes that presented in [12] which directly applied entanglement distillation techniques. Correction of phase errors afflicting the key subsystems becomes easier for private states as the shield can store phase error information. Thus, not all phase errors need be corrected, increasing the secret key yield above the entanglement yield. However, the resulting rates still do not always match those of classical privacy amplification as the shared state is not always a classical mixture of states subjected to various phase errors.

Our results are presented as follows. We first show how the uncertainty principle inspires dual descriptions of private states. Then the method of classical privacy amplification is briefly recounted before proceeding to the new approach to private state distillation. The details of the derivation of the secret key rate are presented, from which the equivalence of the methods follows. Finally, we conclude with a view to open problems and related issues.

Secret Keys and Private States. — A perfect secret key shared by Alice and Bob is a uniformly-distributed random variable about which Eve has zero information. Thus a perfect secret bit is defined as $\kappa_{ABE} = \left(\tfrac{1}{2}\sum_k P^k_A \otimes P^k_B\right) \otimes \rho_E$ for any $\rho_E$, where $P^k =$



Private states are those quantum states for which independent measurements by Alice and Bob yield a secret key. For secret bits, our focus in the remainder of the paper, these measurements might as well be standard basis measurements on the qubit key registers A and B. The overall state can be purified by including additional systems, be they shield systems S under the control of Alice and/or Bob or Eve's systems E. A private state $\gamma_{ABSE}$ is then a pure state of the form

$$\frac{1}{\sqrt{2}}\sum_k |kk\rangle_{AB}\, V^k_S\, |\xi\rangle_{SE} = U_{ABS}\,|\Phi\rangle_{AB}\,|\xi\rangle_{SE}, \qquad (1)$$



where the unitaries $V^k$ as well as the state $|\xi\rangle$ are arbitrary. The state $|\Phi\rangle$ is the canonical maximally-entangled state and the unitary $U_{ABS} = \sum_{j,k} P^{jk}_{AB} \otimes V^{jk}_S$ is called a twisting operator.

The fact that private states lead to secret keys and secret keys come from private states immediately follows (cf. Theorem 2 of [16]). Measurement of a private state $\gamma_{ABSE}$ immediately yields $\kappa_{ABE}$ with $\rho_E = \xi_E$. Conversely, suppose $\gamma_{ABSE}$ is a pure state yielding $\kappa_{ABE}$ under the prescribed measurement. It follows that $|\gamma\rangle_{ABSE} = \frac{1}{\sqrt{2}}\sum_k |kk\rangle_{AB}|\varphi^k\rangle_{SE}$ for some arbitrary normalized states $|\varphi^k\rangle$ and furthermore, that $\varphi^k_E = \rho_E$ for all $k$. Calling $|\xi\rangle_{SE}$ the purification of $\rho_E$, we must have $|\varphi^k\rangle_{SE} = V^k_S|\xi\rangle_{SE}$ for some unitaries $V^k_S$ since all purifications of the same state are related by unitaries on the purifying system. We have implicitly proven

Theorem 1. A pure state $\gamma_{ABSE}$ is a private state if



and only if (a) Pj^ 
7b = 1e S or al1 i; k - 



Tr[7. 



ABSE P AB \ 



p ab\ = and (b) 



This formulation is straightforward: Eve can obtain no information about the key when all her marginal states are identical. The approach of classical privacy amplification is to prove the shared output state has this property.

A different characterization of private states follows from considering a hypothetical measurement by Alice in the x-basis. This produces conditional states of the BS subsystem: $\sigma^x_{BS} = 2\,{}_A\langle x|\gamma_{ABS}|x\rangle_A$, where $|x\rangle$ is the $x$th x-basis state. Then one has

Theorem 2. A pure state $\gamma_{ABSE}$ is a private state if
and only if (a) p hk = Tr[j A BSE P' AB
a BS a BS = f° r all j ^ k. 

Proof. Suppose ^abse is a private state, for which con- 
dition (a) is satisfied by inspection. The states BS condi- 
tional states are a BS — Z B U B s(P B ® £s)U BS Z B , where 
the unitary U B s=J2k P B ® V§ for P s = \x)(x\, and 



Z x is the xth power of Z, in contrast to all other up- 
per indices appearing herein. Since [Zb, U B s]=0, o~ bs = 
Ubs(P% ® £s)U BS , and (b') follows immediately. 

Conversely, by condition (a) we have \^)abse — 
"7f Efc \kk)AB\f k )sE- From the Schmidt decomposition 

\<P k )sE 



Ei\/^ k M)sWt)E define Y k =^ip k V k for 

unitary V k so that \<p k ) S E = J2e Y s\ ei )sE- Here 
V k =L k (R k ) T using the unitaries L k \£) = \p k ) and 
R k \tj=\v k ). Now we can write a BS — Z B a B sZ BS 
for o-bs = i£ 3 -Ji)fl<*l ® Y£(Y k y. " Condi- 
tion (b') then i mplies ( y°)t Y° = (Y^Y 1 . 
Defining \Ose = y/&s ) f Y S E i\f)s\t) E we obtain 
Vs\Ose= \f k )sE and thus the operator U B s produces 
the private state: \j)abse = U B s\®)ab\Qse- □ 



We can understand the relationship between these two characterizations as an instance of the uncertainty principle, which in entropic form requires that the sum of entropies of x- and z-basis measurements must not be less than unity [17]. Theorem 1 implies that Eve's entropy of Alice's z-basis measurement (i.e. the key) is itself unity. Complementarily, Theorem 2 means Bob's entropy (actually Bob and shield) of Alice's x-basis measurement is zero, so Eve's entropy of z must be not less than unity.

Classical Privacy Amplification. — An ideal privacy amplification protocol would output a perfectly secret key from the input of only partially secret data. This is too optimistic for practical applications however, and in this section we recapitulate the formulation of protocols which distill an approximately secret key. We say $\rho_{ABE}$ is $\epsilon$-private when $\|\rho_{ABE} - \kappa_{ABE}\|_1 \le 2\epsilon$. This definition ensures the key can be safely composed with any other cryptographic task and moreover, we can interpret the definition as saying that the actual key $\rho_{ABE}$ is really the ideal key $\kappa_{ABE}$ with probability at least $1 - \epsilon$ [1, HH [IH .

Here we assume that the input to privacy amplification is $\psi^{\otimes n}_{ABE}$, where $\psi_{ABE} = \tfrac{1}{2}\sum_k P^{kk}_{AB} \otimes \varphi^k_E$ describes a shared but not necessarily secret bit. In QKD this product state is the product of a collective attack in which Eve tampers with each signal individually. More general coherent attacks have been dealt with by randomly permuting the quantum signals after receipt and then showing that privacy amplification can extract the same key from the resulting state as from a product state [3, |2C| .

Now, for $K$ the classical random variable held by Alice and Bob, and $I$ the quantum mutual information, one can show

Theorem 3 (0,0)). There exists a privacy amplification scheme to extract $n[1 - I(K:E)]$ secret bits from $\psi^{\otimes n}_{ABE}$, for $n \to \infty$. Moreover, this is the maximum possible rate.

The scheme in Q works by selecting a function at random and applying it to each of the A and B systems; the output size of the function is $n[1 - I(K:E)]$ bits. The crux of that proof is a result on measure concentration, the generic term indicating when a random variable is exponentially likely to be very close to its mean value. The random variable in this case is Eve's state $\varphi^k_E$, where $k \in \{0,1\}^n$. Initially Eve's conditional states are not close to the mean, but averaging over some of the $k$ produces a new random variable which is. This partial average comes from regarding the random function as picking a random reversible function on the length-$n$ strings and then discarding (averaging over) the last $nI(K:E)$ bits.

The privacy amplification function need not be completely random; as shown in [4] any 2-universal family of hash functions suffices. This includes random linear hashing, which we will use for private state distillation.

Private State Distillation. — As in classical privacy amplification, the goal of private state distillation is to distill a state close to a private state, again measured by the trace distance. Since the key measurement is itself a quantum operation, an output state $\epsilon$-close to a private state results in a key at least $\epsilon$-close to $\kappa_{ABE}$.

Koashi's method is to distill an X eigenstate in a single abstract key register; its immediate application to private states is obscured by the need to respect the form of the twisting operator. But by using a linear hash function for privacy amplification we can neatly avoid this problem. The essential point remains that the honest parties have full information about an observable conjugate to the key.

Initially Alice, Bob, and Eve share $\psi^{\otimes n}_{ABE}$, which can be purified using the shield system S to the state



ABSE 



\0n 
I ABSE 



= i^|x} A ^|k> s |^> 



SE ■ 



(2) 



k,x 



Generally, Bob cannot perfectly predict the outcome $x'$ of Alice's hypothetical x-basis measurement since his information is limited by the Holevo quantity $\chi$ of the ensemble $\mathcal{E} = \{\tfrac{1}{2}, \rho^x_{BS}\}$, where $\rho^x_{BS} = 2\,{}_A\langle x|\psi_{ABS}|x\rangle_A$ [21].



But then the distillation strategy suggests itself: have Alice provide Bob the missing information. If she narrows the possible $\rho^x_{BS}$ to a suitably-random set of size $2^{n\chi(\mathcal{E})}$, then the HSW theorem indicates that with high probability Bob can determine $x'$ [22].

Having sketched the method roughly, we now turn to the details. Alice's announcement consists of the bits $h_i = u_i \cdot x'$ for $n[1 - \chi(\mathcal{E})]$ randomly chosen $u_i$, i.e. a random linear hash of $x'$. This can be thought of as the result of measuring the observables $X_{u_i}$, which define Pauli X operators for a set of "encoded" qubits. The complementary subsystem of encoded qubits is associated with the set of $Z_{v_j}$, where $u_i \cdot v_j = 0$ for all $i,j$. Thus we can decompose the space of Alice's (Bob's) physical qubit systems into virtual systems $A_1, A_2$ ($B_1, B_2$) corresponding to the observables $Z_{v_j}$ and $X_{u_i}$, respectively. The post-announcement state is \^')a 1 bse = a 2 (^\Z b \$}abse,



*')A lB SE = ^Y i \y)MZl 1 \l)B 1 W t )B 2 SE, (3) 

y " 



where \^)b,se = ^-^H £ m |m) Ba \^)se, 
since Bob can apply Z B2 after learning h from Alice. 
He is left to distinguish the states g BS = Zg ^f' BS Z B . 
Note that system B^ has now become part of the shield. 

A slight modification of the HSW theorem ensures that with high probability the pretty good measurement [53| can distinguish the g BS with arbitrarily small probability of error. The theorem originally applies to the distinguishability of random subsets of $\rho^x_{BS}$ and here we have a random subspace. However, in the Appendix we show that the standard proof can be easily adapted to this case, and in fact more generally to the use of 2-universal hashing. Bob's measurement has elements



Els 



T 



T 



BS> 



(4) 



for T B s = E y n Bsn^ s n BS , and n^ s (U B s) the projection onto the typical subspace of g BS ((g BS )), the subspace spanned by eigenvectors whose eigenvalues are near the likely value. Here $\langle\cdot\rangle$ denotes the average value.

We can determine the E^ s explicitly and thereby ob- 
tain the twisting operator. Note that Z Bi g BS Z Bi = 

%kx 12i,i> ® ^e[W')b 2 se{^ 1 '\\, meaning that 

system B2S determines typicality in both Hbs and f^BS- 
Following the proof of Theorem 2 we may then define 
Y B<iS so that ffBsffss^BS becomes 



B 2 S 1 B 2 S 



(5) 



Direct calculation gives T BS = 2" x Tji p b^ ® Y ^ S Y B \ S 
and the square root of the (pseudo) inverse follows. 

Now consider the unitary V which comes from the 
polar decomposition Y l — y/Y e (Y e )t V e ; with it we can 
write 



4 S = ^(^E«I®^ ^ 

tx' 



'B 2 S y B 2 S 



J B X - 



(6) 



Defining the Ubs = P Bl ®Vb 2 s we can express this in 
the more appealing form E BS — Ubs(Pb 1 ® ^-B 2 s)U BS . 

Thus, Bob's strategy is to untwist the shield as best 
he can and then measure his key system in the x-basis. 
He and Alice obtain the same outcome with probability 



2 2n x 



E 



B 2 SE 



\Vl S V^% 2 SE. 



(7) 



If Bob can determine y with high probability, P, ps 1, 
and U BS functions as an untwisting operator. Defin- 
ing \®")aiBSE = U bs \^') Ai bse, the squared fidelity of 
^a 1 b 1 with equals P s . Then P s > 1-e 2 implies 

Wa! Bi ~ < 2e and therefore W) Ai bse is 

e-private. Altogether we have sketched a proof of 
Theorem 4. There exists a distillation procedure to distill $n\chi(\mathcal{E})$ private states from $\psi^{\otimes n}_{ABS}$ for $n \to \infty$.

Note that this is the same rate found by Koashi. Now the associated method of classical privacy amplification is simple. The key is the result of measuring $Z_{v_j}$ which commutes with the private state distillation procedure. This key can just as well be reconstructed from individual Z measurements directly and inherits privacy from the virtual procedure.
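The relation between the announced parities $u_i$ and the key parities $v_j$ can be checked classically. The following is an added example, not code from the paper: it draws random $u_i$ over GF(2), computes a basis $v_j$ of their orthogonal complement, extracts key bits $v_j \cdot z$ from a constructed raw string $z$, and confirms that flipping $z$ by any $u_i$ leaves the key unchanged, the classical counterpart of $Z_{v_j}$ commuting with $X_{u_i}$. The function names and the parameters `n`, `m` and `seed` are assumptions of the example.

```python
import random

def dot(a, b):
    """Inner product of two bit lists over GF(2)."""
    return sum(x & y for x, y in zip(a, b)) % 2

def nullspace(U, n):
    """Basis of {v in GF(2)^n : u . v = 0 for every row u of U}, by Gaussian elimination."""
    rows = [r[:] for r in U]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue                      # no pivot here: column c is free
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[f] = 1
        for i, c in enumerate(pivots):
            v[c] = rows[i][f]             # back-substitute the pivot variables
        basis.append(v)
    return basis

def linear_hash(vectors, s):
    """One parity bit per vector: [w . s for w in vectors]."""
    return [dot(w, s) for w in vectors]

def run(n=16, m=6, seed=7):
    rng = random.Random(seed)             # constructed sample data, fixed seed
    U = [[rng.randint(0, 1) for _ in range(n)] for _ in range(m)]  # announced parities u_i
    V = nullspace(U, n)                                            # key parities v_j
    z = [rng.randint(0, 1) for _ in range(n)]                      # constructed raw key string
    key = linear_hash(V, z)
    orthogonal = all(dot(u, v) == 0 for u in U for v in V)
    # z -> z + u_i is how X_{u_i} acts on a z-basis string; the key must not move.
    stable = all(linear_hash(V, [a ^ b for a, b in zip(z, u)]) == key for u in U)
    return {"U": U, "V": V, "key": key, "orthogonal": orthogonal, "stable": stable}

if __name__ == "__main__":
    out = run()
    print("announced parities:", len(out["U"]), "key bits:", len(out["key"]))
    print("u_i . v_j = 0 for all i, j:", out["orthogonal"])
    print("key unchanged under z -> z + u_i:", out["stable"])
```

When the $m$ vectors $u_i$ are linearly independent the key has exactly $n - m$ bits, which is the $n\chi(\mathcal{E})$ of Theorem 4 for $m = n[1 - \chi(\mathcal{E})]$.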

Theorems 3 and 4 give the secret key rates $1 - I(K:E)$ and $\chi(\mathcal{E})$, corresponding to distillation procedures following from the two descriptions of private states, respectively. Since these descriptions are equivalent, we expect the associated distillation methods to have the same rate. This intuition can be confirmed either by direct calculation or by appealing to upper bounds applicable to either scenario. By the results of [H, $\chi(\mathcal{E}) \le 1 - I(K:E)$. Conversely, $1 - I(K:E) \le \chi(\mathcal{E})$ or else by performing the classical privacy amplification coherently, as detailed in , Bob would effectively be able to distinguish more of the states $\rho^x_{BS}$ than possible.

Conclusions. — We have found that the three principal means of treating privacy amplification are essentially identical and interchangeable. The dual descriptions of private states on which the respective distillation methods rest are shown to be elegantly related by the uncertainty principle. This provides an immediate and intuitive understanding of how the quantum information about the key is balanced between the eavesdropper and shield and how the secret information can be extracted.

Care must be taken to incorporate these results into QKD security proofs. Here Alice and Bob begin with a known state $|\psi\rangle_{ABSE}$, whereas one of the main tasks of a key distribution protocol is to reliably estimate the state shared by the various parties. The presence of a shield system makes this task more difficult, but recent work demonstrates how to estimate the parameters relevant to private state distillation [25].

Reduction of coherent attacks to the case of collective attacks studied here is similarly intricate. This reduction has been accomplished by creating a permutation invariant state fl^BE by randomly scrambling the order of the quantum signals and then demonstrating that the chosen key distillation method produces just as many secret bits as from the product input $\psi^{\otimes n}_{ABE}$. It remains to be shown that when including the shield system this sort of reduction method still applies. In particular, Bob must still be able to distinguish the $\rho^x_{BS}$ even though the $x$ are no longer independently and identically distributed. We will report on this in a future publication.

Finally, our result on achieving the Holevo bound using 
2-universal hashing may be of independent interest. 
Appendix — Given a source described by the ensemble $\mathcal{E} = \{p_x, \rho_x\}$ which distributes letters $x$ to Alice and states $\rho_x$ to Bob, we seek a protocol which enables Bob to learn $x$ and consumes as few resources as possible. The idea is for Alice to send Bob some (minimal) amount of information about $x$ so that he can then perform a measurement to distinguish between the quantum states consistent with this information.

2-universal hashing can be used for this purpose. A family of functions $f: \mathcal{X} \to \mathcal{Y}$ is 2-universal if $\Pr[f(x) = f(x')] \le 1/|\mathcal{Y}|$ for all $x \ne x' \in \mathcal{X}$. Note that random linear hashing, as used in the main text, is 2-universal. Suppose Alice applies a random $f$ from the hash family to a block (length-$n$ string) $x$ of letters, using $\mathcal{X} = \{0, 1, \dots, d-1\}^n$. Then Bob will be left to distinguish between the elements of $\{\rho_y = \rho_{y_1} \otimes \cdots \otimes \rho_{y_n} \mid f(y) = f(x)\}$, for which he uses the measurement as defined in Eq. 21 with the slight change that $E_y = 0$ when $y$ is nontypical. This rejects nontypical signals, which are in any case exceedingly rare. Adapting the presentation in Appendix B of [26] shows this protocol will have low error probability. We now specialize to $d = 2$, but the argument is essentially the same for the general case.
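An exact check of the 2-universal condition for the random linear family used in the main text, set beside a constructed family that fails it. This is an added example, not code from the paper; the sizes n = 4 and m = 2, the mask family and all function names are assumptions chosen so that full enumeration stays small.

```python
from fractions import Fraction
from itertools import combinations, product

def parity(x):
    """Parity of the set bits of a non-negative integer."""
    return bin(x).count("1") & 1

def linear_family(n, m):
    """Every m x n binary matrix, stored as a tuple of m row bitmasks."""
    return list(product(range(2 ** n), repeat=m))

def apply_linear(M, x):
    """f_M(x) = M x over GF(2); x is an n-bit integer."""
    return tuple(parity(row & x) for row in M)

def mask_family(n, m):
    """Constructed weak family: XOR with a public mask s, then keep the top m bits."""
    return [(s, n - m) for s in range(2 ** n)]

def apply_mask(f, x):
    s, shift = f
    return (x ^ s) >> shift

def worst_collision(family, apply, n):
    """max over x != x' of Pr_f[f(x) = f(x')], computed exactly by enumeration."""
    worst = Fraction(0)
    for x, y in combinations(range(2 ** n), 2):
        hits = sum(apply(f, x) == apply(f, y) for f in family)
        worst = max(worst, Fraction(hits, len(family)))
    return worst

def compare(n=4, m=2):
    bound = Fraction(1, 2 ** m)           # 1/|Y| for an m-bit output
    lin = worst_collision(linear_family(n, m), apply_linear, n)
    weak = worst_collision(mask_family(n, m), apply_mask, n)
    return {"bound": bound, "linear": lin, "mask": weak,
            "linear_ok": lin <= bound, "mask_ok": weak <= bound}

if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

The linear family meets the bound with equality for every pair, while the mask family collides with certainty on any two inputs that share their top m bits, so it gives no protection for such pairs.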

Given a function $f$, the average probability of error is given by $P_{E|f} = \sum_x p_x \mathrm{Tr}[\rho_x(1 - E_x)]$. Lemma 2 of states that $1 - (S+T)^{-1/2} S (S+T)^{-1/2} \le 2(1-S) + 4T$ for $0 \le S \le 1$ and $T \ge 0$, which we can apply to $E_x$ using $\Lambda_x = \Pi\Pi_x\Pi$ as $S$ and $\sum_{x' \ne x} \Lambda_{x'}$ as $T$ to obtain

$$P_{E|f} \le 2 - 2\sum_x p_x\Big(\mathrm{Tr}[\rho_x\Lambda_x] - 2\sum_{\substack{x' \ne x \\ f(x)=f(x')}} \mathrm{Tr}[\rho_x\Lambda_{x'}]\Big), \qquad (8)$$

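where $p_x = p_{x_1} \cdots p_{x_n}$. When $x$ is typical, $\mathrm{Tr}[\rho_x\Lambda_x] > 1 - 3\epsilon$ and by construction $\Lambda_x = 0$ when $x$ is not typical. Moreover, the total probability of typical strings exceeds $1 - \epsilon$, so we obtain

$$P_{E|f} \le 8\epsilon + 4\sum_x p_x \sum_{\substack{x' \ne x \\ f(x)=f(x')}} \mathrm{Tr}[\rho_x\Lambda_{x'}]. \qquad (9)$$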

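Now average over the possible $f$:

$$\begin{aligned}
P_E &\le 8\epsilon + 4\sum_x p_x \sum_{x' \ne x} \Pr[f(x') = f(x)]\,\mathrm{Tr}[\rho_x\Lambda_{x'}] \\
&\le 8\epsilon + \frac{4}{|\mathcal{Y}|}\sum_x p_x \sum_{x' \ne x} \mathrm{Tr}[\rho_x\Lambda_{x'}] \\
&\le 8\epsilon + \frac{4}{|\mathcal{Y}|}\sum_{x,x'} p_x\,\mathrm{Tr}[\rho_x\Lambda_{x'}] \\
&= 8\epsilon + \frac{4}{|\mathcal{Y}|}\sum_{x'} \mathrm{Tr}[\rho^{\otimes n}\Lambda_{x'}]. \qquad (10)
\end{aligned}$$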
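To evaluate the trace, note that $\mathrm{Tr}[\rho^{\otimes n}\Lambda_{x'}] = \mathrm{Tr}[\Pi\rho^{\otimes n}\Pi\,\Pi_{x'}]$. Since $\Pi\rho^{\otimes n}\Pi \le 2^{-n[S(\rho)-\delta]}\,\Pi$ (Eq. 19 of [26]) we have

$$P_E \le 8\epsilon + 4\,\frac{2^{-n[S(\rho)-\delta]}}{|\mathcal{Y}|}\sum_{x'} \mathrm{Tr}[\Lambda_{x'}]. \qquad (11)$$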

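But again $\Lambda_{x'} = 0$ for nontypical $x'$ while $\mathrm{Tr}[\Lambda_{x'}] \le 2^{n[\sum_j p_j S(\rho_j)+\delta]}$ otherwise ( Eq m ^ leading to

$$P_E \le 8\epsilon + 4\sum_{x \in \mathrm{Typ}} \frac{2^{-n[\chi(\mathcal{E})-2\delta]}}{|\mathcal{Y}|}. \qquad (12)$$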



Finally, the size of the typical set is less than $2^{n[H(p_i)+\delta]}$, so putting it all together we have

$$P_E \le 8\epsilon + 4 \cdot 2^{n[H(p_i) - \chi(\mathcal{E}) + 3\delta]}\,|\mathcal{Y}|^{-1}. \qquad (13)$$

By choosing $\log_2 |\mathcal{Y}| = n[H(p_i) - \chi(\mathcal{E}) + 4\delta]$, the probability of error can be made arbitrarily small.

Since Bob ultimately learns $x$, an information gain of $H(p_i)$ bits, but Alice only provides $H(p_i) - \chi(\mathcal{E})$, the quantum states themselves provide on average $\chi(\mathcal{E})$ bits, in accordance with the Holevo bound.